877-DATA-EXAM [877-328-2392]
When Your Data Really Matters.

What Are You Giving Away?

by Rick Albee

Addressing Your Concern

Several investigators who wanted to get a new computer, but were concerned about the data on the old machine have recently contacted me. They were apprehensive about the data remaining on the old computer--as well they should be. This article is in response to those concerns.

First, let me reiterate what I say in my presentations on computer forensics: The hard drive is gold to me. It holds the data you want to protect. The hard drive is your only concern. Yes there is data in RAM, and yes the CMOS chip holds the date code, but none of that is of concern when recycling a computer. Be worried about the hard drive only. The other is inconsequential.

Lookey What I Found

Several years ago I needed to do some specific testing on disposable hard drives, beta testing new software, etc. All the HDDs (hard drives) in my storage were too large, too small, or already committed. The computer swap meet was coming up, so I picked up several "throw-away" HDDs dirt-cheap. They were represented as having been wiped of all data, but on the way home I got to wonder about that. People who had upgraded their machine, or traded it in had recycled the HDDs. Regardless of the representation that the drives were clean; I knew that at one time there had been someone's personal information on the drives.

Before using the HDDs for my purposes, I decided to check the drives, and immediately discovered that they were not wiped, which leaves a distinctive hexadecimal footprint that is forensically discernable.

Among other personal information, the drives still had personal address books, a client list from a business, several complete e-mail and Internet histories, and on one drive there remained illegal material, which immediately got wiped!

Graduate students at the Massachusetts Institute of Technology did research on this subject. They purchased over a gross of used HDDs from various sources, including computer stores, eBay, and swap meets. Of the drives, 81% of them worked fine. Of those that worked, 53% still had data on them, and 37% of them still retained significant personal information including intimate letters, medical records, bank transactions and credit card information.

From previous year's numbers, I'm guessing that about 500,000 HDDs now get discarded, in some manner, every year, and the number is growing. Obviously, a great number of those recycled HDDs are put back into the second-hand market.

Imagine the liability for a private investigator who gets a new computer, transfers the information from his or her old computer, and then recycles the old one--HDD and all! Worst-case scenario, your files get recovered by a nefarious individual who blackmails you or your clients! OUCH!

Moral Of The Story

First, make sure you clean all your personal files from your HDD. Clean is the optimal term. Clean does not mean deleting files and/or formatting the drive. Here is how the process works:

  • Deleting a file moves it from an active file to the recycle bin, from which it can easily be restored.
  • Emptying the recycle bin basically frees the cluster that was occupied by that file, and makes the cluster available to accept other data.
  • The file, basically, then becomes an unallocated cluster, and is available to have data written to it, and the new data will effectively wipe over the file, but generally not the entire file, leaving a portion in what is called slack space.
  • Formatting the HDD zeros out the root directory and the FAT (File Allocation Table), which may be effective for the casual user, but does not erase the data.

What Do I Do?

The data needs to be made secure from prying eyes. Personally, I recommend disassembling the drive, beating it with a sledgehammer, and depositing the remains in the deep-water submarine channel between San Pedro and Catalina Island. I've heard other recommendations, burning for example. But burning the drive won't work unless you have a smelter; the platters within are high-grade glass and can withstand extreme heat before actually melting. There really are only three reliable methods to protect your data.

  1. A magnet. The data on today's HDDs is a thin layer of electromagnetic material that coats each platter. A powerful, industrial strength magnet will effectively corrupt the data, or so I've been told--never tried it myself, but I have confidence in what I've been told.

This may seem somewhat extreme, or too much bother for most people, so we'll move to the more common approaches:

  1. Wipe the drive using a software program designed for this purpose. There are a number of them on the market, and to give a recommendation may be a conflict considering my business, but your local software computer store can make a recommendation. The program will probably give you the option to wipe with a specific character, and will allow you to designate a single wipe or multiple wipes. In my experience, a single wipe is sufficient if done correctly. The reason for this is that I do not know of a private sector lab in the country that has the resources to recover data from a truly wiped drive; that is NSA level stuff. But if you are worried about the data being discovered by the NSA you can opt for the DOD wipe standard. The only difference is that it takes longer to make multiple passes over the data, but it is much more secure.
  2. Keep the HDD in storage. An added benefit to this is that you always have a record of what data was on the computer when you upgraded, which is not a bad idea. And at the minimal price of HDDs today, this seems like a wise choice.

REMEMBER: The point is to make sure that you are not giving away your data!